Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX Firewall Rules not applying consistantly

Martin_Snyman
Conversationalist
‎Jul 1 2019 1:30 AM
‎Jul 1 2019 1:30 AM

MX Firewall Rules not applying consistantly

Hi, 

 

I have a 2 networks that seems to not apply Layer 3 Firewall Rules as expected.

 

Below rule should allow internet browsing for IP 192.168.4.253 but all traffic is denied. 

FSL-RULE-SNAP.PNG

On another network I configured below rule to block all ICMP traffic for testing purposes but can still ping out of network. It shows that traffic is hitting the deny rule but can still ping through. 

 

L3-RULE.PNG

 

0 Kudos
Subscribe
7 Replies 7
BrechtSchamp
Kind of a big deal
‎Jul 1 2019 2:17 AM
‎Jul 1 2019 2:17 AM

Regarding the first ruleset.

  • You shouldn't specify source ports. Source ports are chosen randomly by the operating system. They will likely not be 80, 8080 or 443. So basically the 1st rule is being skipped.
  • The second rule same thing, source port should not be specified so likely this rule is skipped again.
  • The third rule blocks all pings. I assume this is working.
  • Then the 4th and 5th rules will basically block all other TCP and UDP requests, so the skipping of the first and second rule likely result in the connections hitting this rule and being blocked.

Regarding your second problem. Are you sure the PC you're testing from is using that MX to go towards the internet? Any group policies that are overriding and giving it access?

Subscribe
In response to BrechtSchamp
Martin_Snyman
Conversationalist
‎Jul 1 2019 2:41 AM
‎Jul 1 2019 2:41 AM

Thank you, 

 

Sorted out the first one thank you. 

 

I've double checked and there is no special group policy applying to the pc. All clients on network can ping out even though the rule is specified.

0 Kudos
Subscribe
In response to Martin_Snyman
BrechtSchamp
Kind of a big deal
‎Jul 1 2019 2:49 AM
‎Jul 1 2019 2:49 AM

Good to hear.

 

For the second problem. I tested out with the same rule and it works fine here:

2019-07-01 11_45_33-Firewall Configuration - Meraki Dashboard.png

 

Is it possible there's a rule higher up that allows the pings? The first applicable rule will take the decision.

0 Kudos
Subscribe
In response to BrechtSchamp
Martin_Snyman
Conversationalist
‎Jul 2 2019 1:37 AM
‎Jul 2 2019 1:37 AM

Moved Rule to top and still allowing traffic.

 

L3-RULE.PNG

0 Kudos
Subscribe
In response to Martin_Snyman
BrechtSchamp
Kind of a big deal
‎Jul 2 2019 5:12 AM
‎Jul 2 2019 5:12 AM

Can you check with traceroute whether the MX is actually in the path a packet takes?

 

Can you also remove the IP addresses in the "Allow Remote IPs" column for the "ICMP ping" service. I think those may be interfering as I believe the MX expects the addresses to be listed here to not be present on it's LAN subnets.

0 Kudos
Subscribe
In response to BrechtSchamp
Martin_Snyman
Conversationalist
‎Jul 2 2019 5:54 AM
‎Jul 2 2019 5:54 AM

One of the first things I checked. Can confirm that its routing via MX.

 

Removed the IP's from Allowed Remote IP's and still allowing ping to go through.  

0 Kudos
Subscribe
In response to Martin_Snyman
BrechtSchamp
Kind of a big deal
‎Jul 2 2019 6:07 AM
‎Jul 2 2019 6:07 AM

Tbh, then I don't know what's going on. It seems to me that they shouldn't be going through. As a last resort I'd probably try a packet capture on the WAN port of the MX to see that I actually see those pings going out to make sure we're not overlooking something. VPN software on the laptop may be causing the traffic to be encapsulated.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.